The UK's communications regulator has laid out guidance on how online services might perform age checks as part of the Online Safety Act.
The range of proposals from Ofcom are likely to send privacy activists running for the hills.
These include credit card checks, facial age estimation, and photo ID matching.
The checks are all in the name of protecting children from the grot that festoons large swathes of the world wide web.
Service providers will likely be stuck between a rock and a hard place in implementing the guidance without also falling foul of privacy regulations.
Open banking, where a bank confirms a user is over 18 without sharing any other personal information.
Mobile network operator age check, where the responsibility is shunted onto an MNO content restriction filter that can only be removed if the device user can prove to the MNO that they are over 18.
Photo ID matching, where an image of the user is compared to an uploaded document used as proof of age to verify that they are the same person.
Credit card checks, where a credit card account is checked for validity - in the UK, credit card holders must be over 18.
Digital identity wallets and, our favorite, facial age estimation, where the features of a user's face are analyzed to estimate the user's age.
In 2022, the UK government threatened the requirement of handing over all range of personal data to access social media sites.
The idea of age verification was floated years before and has returned as part of the Online Safety Bill.
The previous time around, the idea of allowing certain firms to work as information collaters / age verification service providers was floated, with critics correctly surmising this would create huge jackpot targets of citizen data.
In 2022, Daniel Pryor, then head of research at the Adam Smith Institute think tank, warned that any tech-savvy teen would likely be able to circumvent restrictions, while adults entering their details stood every chance of being exposed in the event of a data breach.
The Ofcom proposals include guidance on data protection as well as age assurance, all of which will add to the burden faced by operators trying to deal with age checks while also ensuring user data is protected.
No, simply asking the user to confirm they are over 18 or popping up a disclaimer isn't going to be sufficient to satisfy the regulator.
Ofcom is vague when it comes to defining what constitutes such a number.
Ofcom also states that sites must not provide information or links to Virtual Private Network providers.
There is every risk that by throwing up such blocks, users will be tempted to look into the technology, which carries its own dangers.
The final guidance is due in early 2025, after which Ofcom expects the UK government to bring the duties into force.
This Cyber News was published on go.theregister.com. Publication date: Tue, 05 Dec 2023 10:43:06 +0000